What is the CVSS score of CVE-2025-5623?

CVE-2025-5623 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 1.0%.

Which versions of Dir 816 Firmware are affected by CVE-2025-5623?

A critical remote code execution vulnerability (CVSS 9.8) affects D-Link DIR-816 routers running firmware 1.10CNB05, with public exploits now available.

Is there a public PoC exploit available for CVE-2025-5623?

Yes, a public proof-of-concept exploit is available for CVE-2025-5623. Prioritise patching immediately. EPSS: 1.0%.

How to fix or mitigate CVE-2025-5623?

Within 24 hours: Identify and inventory all D-Link DIR-816 devices in production and isolate affected units from critical networks if possible. Within 7 days: Implement network segmentation to restrict administrative access to these devices and deploy WAF/IDS rules blocking requests to /goform/qosClassifier endpoint with buffer overflow payloads. Within 30 days: Replace affected routers with supported alternatives from current vendors, or if replacement is infeasible, establish a dedicated VLAN with strict egress filtering and continuous monitoring for exploitation attempts.

Dir 816 Firmware CVE-2025-5623

EUVD-2025-16940 CRITICAL

Buffer Overflow (CWE-119)

2025-06-05 cna@vuldb.com

RCE Buffer Overflow D-Link Dir 816 Firmware

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 17:53 euvd

EUVD-2025-16940

Analysis Generated

Mar 14, 2026 - 17:53 vuln.today

PoC Detected

Jun 06, 2025 - 15:42 vuln.today

Public exploit code

CVE Published

Jun 05, 2025 - 00:15 nvd

CRITICAL 9.8

DescriptionNVD

A vulnerability was found in D-Link DIR-816 1.10CNB05. It has been classified as critical. This affects the function qosClassifier of the file /goform/qosClassifier. The manipulation of the argument dip_address/sip_address leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

Critical stack-based buffer overflow vulnerability in D-Link DIR-816 1.10CNB05 affecting the qosClassifier function's dip_address/sip_address parameters. This unauthenticated, remotely exploitable flaw allows attackers to achieve complete system compromise (confidentiality, integrity, and availability impact). The vulnerability affects end-of-life products no longer receiving vendor support, with public exploit disclosure and confirmed proof-of-concept availability increasing real-world exploitation risk.

Technical ContextAI

The vulnerability exists in the /goform/qosClassifier endpoint of D-Link DIR-816 (CPE: cpe:2.3:o:d-link:dir-816_firmware:1.10cnb05:*:*:*:*:*:*:*), a consumer-grade wireless router. The root cause is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), specifically a stack-based buffer overflow. The qosClassifier function fails to properly validate the length of user-supplied input in the dip_address and sip_address parameters before copying them into fixed-size stack buffers. This lack of bounds checking allows attackers to overflow the stack, potentially overwriting saved return addresses and other critical data structures. The affected endpoint is accessible without authentication due to missing access control checks (contributing to CVSS AV:N/AC:L/PR:N), making this a particularly severe implementation flaw typical of legacy embedded device firmware.

RemediationAI

Immediate remediation options are severely limited due to end-of-life status: (1) Hardware replacement: Discontinue use of DIR-816 equipment and migrate to current-generation D-Link routers with active security support; (2) Network isolation: If immediate replacement is not feasible, isolate affected DIR-816 devices to restricted network segments with strict ingress/egress filtering, preventing internet-facing exposure; (3) Access control: Implement network-level access controls (firewall rules, ACLs) to block unauthorized access to the /goform/qosClassifier endpoint on port 80/443; (4) Monitoring: Deploy network intrusion detection signatures to monitor for exploitation attempts targeting this endpoint; (5) No patch available: D-Link will not release firmware patches for this end-of-life product. Firmware upgrades to newer DIR-816 versions (if available) should be evaluated but are not guaranteed to address this vulnerability without vendor confirmation. Do NOT rely on workarounds as a long-term solution—replacement is the only permanent fix.